The _registerCollateralToken function does not verify whether the Aave V3 reserve associated with a given collateral token has been deprecated. As a result, deprecated reserves can be registered as collateral tokens, potentially leading to unexpected behavior or loss of funds when interacting with the DIVA Protocol.
The _getAToken function retrieves the aToken address associated with the provided collateral token from Aave V3. However, the implementation only checks that a reserve exists; it does not check the state of that reserve. Aave has no single "deprecated" flag: a reserve that is being wound down is frozen by governance (no new supplies or borrows, while repayments and withdrawals remain possible), and may later be paused (no user interactions at all) or deactivated. A reserve in any of these states is no longer a reliable target for supplying collateral, so registering it introduces a risk to the system.
Aave exposes the reserve state on-chain. Pool.getConfiguration(asset) returns the ReserveConfigurationMap whose data field is a bitmap in which bit 56 is the active flag, bit 57 the frozen flag and bit 60 the paused flag (see Aave V3's ReserveConfiguration library); AaveProtocolDataProvider.getReserveConfigurationData(asset) returns the same information already decoded as isActive and isFrozen. None of these checks are performed in the current implementation.
If a deprecated reserve is registered:
Loss of Funds: Users may unknowingly select collateral tied to a deprecated reserve. If the reserve is frozen, supplying to it reverts on Aave's side, so pool creation or deposits fail; if the reserve is later paused or deactivated, collateral already supplied cannot be withdrawn until governance changes the reserve state, leaving user funds stuck.
Operational Risks: Interactions with deprecated reserves can fail inside critical functions (supply, withdraw, yield claiming), breaking downstream processes in the protocol.
Reputation Damage: Registering unsupported or outdated tokens could undermine trust in the protocol.
Manual code review
Aave V3 documentation review
Add Deprecation Check: Use Aave's getConfiguration function (or the data provider's getReserveConfigurationData) to verify that the reserve corresponding to _collateralToken is active, not frozen and not paused before registering it and storing its aToken.
Implement Tests: Add test cases that simulate _collateralToken mapping to an inactive, frozen or paused reserve, ensuring that registration is rejected in each case.
Fail Clearly: Reject the token with a descriptive revert reason so that callers and off-chain monitoring can tell that registration failed because the reserve is deprecated, rather than failing with a generic error.
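The following is an added example of the recommended check; it is not the wrapper's own code and the contract, storage layout and error names are hypothetical. It assumes the wrapper holds the Aave V3 Pool and AaveProtocolDataProvider addresses, takes the aToken address from the data provider's getReserveTokensAddresses, and decodes the getConfiguration bitmap using the bit positions documented in Aave V3's ReserveConfiguration library (bit 56 active, bit 57 frozen, bit 60 paused). It covers both the deprecation check and the "fail clearly" recommendation above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Interfaces are trimmed to the two
// Aave V3 calls actually used; the contract and its errors are hypothetical.

struct ReserveConfigurationMap {
    uint256 data;
}

interface IAaveV3Pool {
    function getConfiguration(address asset) external view returns (ReserveConfigurationMap memory);
}

interface IAaveV3PoolDataProvider {
    function getReserveTokensAddresses(address asset)
        external
        view
        returns (address aTokenAddress, address stableDebtTokenAddress, address variableDebtTokenAddress);
}

contract CollateralRegistry {
    // Bit positions inside ReserveConfigurationMap.data (Aave V3 ReserveConfiguration library).
    uint256 private constant ACTIVE_BIT = 56;
    uint256 private constant FROZEN_BIT = 57;
    uint256 private constant PAUSED_BIT = 60;

    IAaveV3Pool public immutable aavePool;
    IAaveV3PoolDataProvider public immutable dataProvider;

    // collateral token => aToken, address(0) while unregistered (hypothetical storage)
    mapping(address => address) public collateralToAToken;

    error NoAaveReserve(address collateralToken);
    error ReserveNotActive(address collateralToken);
    error ReserveFrozen(address collateralToken);
    error ReservePaused(address collateralToken);
    error AlreadyRegistered(address collateralToken);

    event CollateralTokenRegistered(address indexed collateralToken, address indexed aToken);

    constructor(address _pool, address _dataProvider) {
        aavePool = IAaveV3Pool(_pool);
        dataProvider = IAaveV3PoolDataProvider(_dataProvider);
    }

    /// Decodes the three state flags a deprecation check needs. For an asset that
    /// is not listed at all, getConfiguration returns data == 0, so active == false.
    function reserveFlags(address _collateralToken)
        public
        view
        returns (bool active, bool frozen, bool paused)
    {
        uint256 data = aavePool.getConfiguration(_collateralToken).data;
        // Parenthesised because `==` binds tighter than `&` in Solidity.
        active = ((data >> ACTIVE_BIT) & 1) == 1;
        frozen = ((data >> FROZEN_BIT) & 1) == 1;
        paused = ((data >> PAUSED_BIT) & 1) == 1;
    }

    /// Registers a collateral token only if its Aave reserve exists and is usable.
    /// Each failure mode reverts with its own error so that the reason is visible
    /// to callers and to off-chain monitoring.
    function _registerCollateralToken(address _collateralToken) internal returns (address aToken) {
        if (collateralToAToken[_collateralToken] != address(0)) {
            revert AlreadyRegistered(_collateralToken);
        }

        (aToken, , ) = dataProvider.getReserveTokensAddresses(_collateralToken);
        if (aToken == address(0)) revert NoAaveReserve(_collateralToken);

        (bool active, bool frozen, bool paused) = reserveFlags(_collateralToken);
        if (!active) revert ReserveNotActive(_collateralToken);
        if (frozen) revert ReserveFrozen(_collateralToken);
        if (paused) revert ReservePaused(_collateralToken);

        collateralToAToken[_collateralToken] = aToken;
        emit CollateralTokenRegistered(_collateralToken, aToken);
    }
}
```

A unit test for this check would deploy a mock Pool whose getConfiguration returns data with bit 57 set and assert that registration reverts with ReserveFrozen, then repeat for bits 56 (cleared) and 60 (set). One caveat: the check protects registration time only. Aave governance can freeze or pause a reserve after the token has been registered, so supply and withdraw paths that depend on the reserve should either re-read reserveFlags before interacting with it or be prepared for Aave to revert.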